On Mon 2016-09-05 02:48:54 -0400, Jonathan de Boyne Pollard wrote:
> Daniel Kahn Gillmor:
>
>> #!/bin/sh
>> mkdir -p /run/kresd/workdir && \
>> setfacl -m u:kresd:rwx /run/kresd/workdir && \
>> cd /run/kresd/workdir && \
>> exec listen -udp::53 \
>> -tcp::53 \
>> -tcp:label=tls:853 \
>> -unix:label=control,mode=0600:/run/kresd/control \
>> chpst -u kresd -p 1 \
>> /usr/sbin/kresd
>
> start:
>
> #!/bin/sh -e
> install -d -m 0755 -o kresd /run/kresd/workdir
>
> stop:
>
> #!/bin/sh -e
> rm -r /run/kresd/
>
> run:
>
> #!/bin/nosh
> udp-socket-listen --systemd-compatibility --combine4and6 :: domain
> tcp-socket-listen --systemd-compatibility --combine4and6 --backlog 2 :: domain
> local-datagram-socket-listen --systemd-compatibility --mode 0666 /run/kresd/query.socket
> local-stream-socket-listen --systemd-compatibility --mode 0600 /run/kresd/control
> ./service
>
> service:
>
> #!/bin/nosh
> chdir /run/kresd/workdir
> softlimit -p 1
> setuidgid kresd
> kresd
Thanks, this looks pretty cool.

A couple of caveats:

* I don't see where the label for the sockets is passed in. How is the
daemon supposed to know whether to listen on the TCP socket using TLS
or not? How is it supposed to know whether the unix domain socket is
for control or for recursive DNS queries?

* It looks like this will result in a chain of processes: nosh → nosh →
kresd, rather than a single process, due to the lack of exec. Or am I
misunderstanding nosh?

I see you've got Debian packages available for nosh, but they aren't in
Debian proper. Have you considered putting them into Debian?

--dkg
Received on Tue Sep 06 2016 - 03:45:05 UTC
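An added example, not from this thread and not code from nosh or kresd: a daemon-side sketch in Python of how the process at the end of the quoted run script could tell the inherited sockets apart. It assumes that `--systemd-compatibility` hands the sockets over under the LISTEN_FDS/LISTEN_PID convention (an assumption here, not stated in the thread), and the role table is constructed from the addresses in the quoted run script; since no label travels with the descriptors, socket family, type and bound address are the only keys left, which is exactly the gap the first caveat points at, and the LISTEN_PID check is where the second caveat bites if the daemon is not the process that was recorded.

```python
import os
import socket

# Constructed role table keyed by (family, type, bound address) for the
# sockets opened in the quoted run script. Roles are our own names.
def default_roles():
    return {
        (socket.AF_INET6, socket.SOCK_DGRAM, 53): "udp-dns",
        (socket.AF_INET6, socket.SOCK_STREAM, 53): "tcp-dns",
        (socket.AF_INET6, socket.SOCK_STREAM, 853): "tcp-tls",
        (socket.AF_UNIX, socket.SOCK_DGRAM, "/run/kresd/query.socket"): "query",
        (socket.AF_UNIX, socket.SOCK_STREAM, "/run/kresd/control"): "control",
    }

def socket_key(sock):
    """(family, type, address key) of a bound socket; sock.type is the bare
    type on Python 3.7+ (SOCK_NONBLOCK/SOCK_CLOEXEC are not mixed in)."""
    name = sock.getsockname()
    if sock.family == socket.AF_UNIX:
        # Abstract-namespace sockets come back as bytes; path sockets as str.
        key = name if isinstance(name, str) else name.decode()
    else:
        key = name[1]  # (host, port, ...) -> port
    return (sock.family, sock.type, key)

def classify(sock, roles):
    """Map an inherited socket to a role, or 'unknown' when nothing matches,
    so a mismatch is noticed instead of silently serving the wrong protocol."""
    return roles.get(socket_key(sock), "unknown")

def inherited_sockets():
    """Wrap descriptors 3..3+LISTEN_FDS-1 as socket objects, but only when
    LISTEN_PID names this process (assumed convention)."""
    if os.environ.get("LISTEN_PID") != str(os.getpid()):
        return []  # an intermediate that did not exec leaves the pid stale
    count = int(os.environ.get("LISTEN_FDS", "0"))
    # socket.socket(fileno=...) autodetects family and type (Python 3.7+).
    return [socket.socket(fileno=fd) for fd in range(3, 3 + count)]

if __name__ == "__main__":
    roles = default_roles()
    for s in inherited_sockets():
        print(s.fileno(), socket_key(s), classify(s, roles))
```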